Which of the following is the most obvious example of an attack used by hackers to get you to take an action or reveal information answer?

Pretexting is a form of social engineering used to manipulate victims into divulging sensitive information. Hackers often research their victims in advance of their first conversation. This gives the hacker a sense of the victim’s personal and professional life and assists with establishing the right pretext with which to approach the victim.

Common in spear phishing, or business email compromise, pretexting is typically phase one of a broader scheme to extract information from a victim. Ultimately, it’s an invitation to participate in a crime. It often starts with a friendly “hello” and ends with businesses losing thousands—sometimes millions—of dollars.

Below are five pretexting and social engineering examples detected by Vade:

1. Are you available?

Hackers are busy people, so it’s not surprising that they often initiate a conversation by checking on a victim’s availability. “Are you available?” is the pretext a hacker uses to determine if their chosen victim is useful to them and to establish a rapport. It also works to lower the victim’s guard as opposed to immediately making a financial request.

If the victim replies that they are available, another email will follow, possibly with instructions to wire money or purchase gift cards, or maybe just more small talk. If the victims replies that they are in fact busy, out of town, or on PTO, then they likely will not be able to carry out the hacker’s demands. When this happens, the hacker will move on to the next victim on the list.

2. I need your help

Impersonating high-profile executives is one of the most common tactics used in spear phishing. It puts pressure on the victim to act quickly and, in many cases, this pressure often causes a lapse in judgment. It’s especially effective against victims who aren’t accustomed to receiving emails from the CEO. Rather than being suspicious, the victim simply springs into action. In the below social engineering tactic–also known as CEO fraud–the hacker puts pressure on the victim by claiming to be in a meeting—incapable of completing the task himself.

Download the infographic to learn how to spot a spear phishing email.

3. Nice seeing you

If the hacker does their homework on both the impersonation victim and the email recipient, they can get a feeling of the relationship that exists between the two. In many cases, the hacker can learn highly specific details they can use as their pretext. In the below example, the hacker has learned of a recent meeting that took place between the impersonation victim and the email recipient. They use this information to create an air of familiarity, which could put the victim at ease for the payroll diversion request that follows.

4. I’m planning a surprise

In this example, the hacker informs the victim that they are planning a special surprise for either colleagues or clients, and they need their help in pulling it off. This pretext serves two ends: First, it makes the victim believe they’re doing a good deed, and second, it ensures that the victim will not inform any colleagues or superiors about the request, which gives the hacker time.

Like some of the above social engineering examples, the request also helps the hacker understand if the victim is in a position to help with the request. Again, if the hacker has reached out to the wrong person, they can move on to another target. Often, the hacker will ask the victim for the email address of the best person to contact.

5. Send me your phone number

Because of the prevalence of business email compromise, many businesses require employees to validate wire transfer and other financial transaction requests by phone. This example of pretexting sets the victim up for such a phone conversation with the hacker.

This could also set the victim up for a deepfake. Several high-profile cases of deepfakes were reported in the last year, including one UK case in which a hacker spoofed a CEO’s voice with AI software and defrauded the company out of $244,000. While phishing for a phone number could be used for the purpose of a deepfake, it could also be used for other purposes. Mobile numbers, for example, are often used as proof of identity and to unlock online accounts.

How to prevent pretexting

Pretexting involves impersonation, and to be successful the email must look legitimate. This requires email spoofing. DMARC is the most common form of protection for email spoofing, but it has limitations, including complex and continual maintenance. Additionally, DMARC blocks exact domain spoofing but not cousin domains or display name spoofing, which are far more common in spear phishing attacks, primarily due to the effectiveness of DMARC.

To prevent pretexting, businesses should look toward a more modern approach to email security than DMARC. Anti-spear phishing technology that uses artificial intelligence (AI) analyzes behaviors for signs of pretexting, scanning emails for malicious patterns. Additionally, it can detect anomalies in email traffic and in email addresses, including cousin domains and display name spoofing. Natural Language Processing (NLP), a branch of AI, analyzes language and can decipher words and phrases common in pretexting and spear phishing.

Finally, train your users to spot pretexting by sharing real-life pretexting examples with them. Often, what makes pretexting and spear phishing successful is that users are unfamiliar with the above pretexting tactics and see nothing unusual about the requests they receive. Educate them on the different types of email spoofing and train them to inspect email addresses for signs of cousin domains and display name spoofing. You should also have rules in place about financial transactions, such as validating requests over the phone or in person.

Learn to spot the tell-tale and hidden signs of spear phishing and business email compromise

A cyber attack is an attempt by cybercriminals, hackers or other digital adversaries to access a computer network or system, usually for the purpose of altering, stealing, destroying or exposing information.

Cyberattacks can target a wide range of victims from individual users to enterprises or even governments. When targeting businesses or other organizations, the hacker’s goal is usually to access sensitive and valuable company resources, such as intellectual property (IP), customer data or payment details.

Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.

Common Types of Cyber Attacks

1. Ransomware

Ransomware is a type of malware that denies legitimate users access to their system and requires a payment, or ransom, to regain access. A ransomware attack is designed to exploit system vulnerabilities and access the network. Once a system is infected, ransomware allows hackers to either block access to the hard drive or encrypt files.

In ransomware attacks, adversaries usually demand payment through untraceable cryptocurrency. Unfortunately, in many ransomware attack cases, the user is not able to regain access, even after the ransom is paid.

The rise in ransomware attacks

Ransomware is one of the most common types of malware attacks today. According to the CrowdStrike Global Security Attitude Survey, which was published in November 2020, more than half of the 2,200 respondents suffered ransomware attacks over the previous 12 months.

CrowdStrike’s 2021 Global Threat Report also explored the growing use of ransomware within certain industries. Our analysis revealed that the most common targets include organizations that are conducting vaccine research and government agencies that are managing responses to COVID-19. The report also notes that ransomware attacks on manufacturing facilities have proven uniquely effective, as the time-sensitive nature of their production schedules often renders paying the fee less expensive than losing critical throughput.

Unfortunately for targets, ransomware attacks also tend to be among the more high-profile cybersecurity events, resulting in negative publicity and reputational harm. For example, in May 2021, the Colonial Pipeline, which supplies gasoline and jet fuel to the southeastern U.S., was the target of a ransomware attack by the criminal hacking group DarkSide. Service was temporarily disrupted, which impacted gas and fuel supply throughout the region. While Colonial Pipeline paid the ransom, which totaled $4.4 billion, the network operated very slowly.

2. Malware

Malware — or malicious software — is any program or code that is created with the intent to do harm to a computer, network or server. Malware is the most common type of cyberattack, mostly because this term encompasses many subsets such as ransomware, trojans, spyware, viruses, worms, keyloggers, bots, cryptojacking, and any other type of attack that leverages software in a malicious way.

The rise of fileless malware

Because organizations are taking steps to defend against traditional ransomware attacks, some cybercriminals are adapting their techniques to circumvent these enhanced security measures. One of these advanced techniques involves “fileless” malware, which is when malicious code is either embedded in a native scripting language or written straight into memory using a program such as PowerShell. In a fileless malware attack, it is also common for attackers to exploit a public-facing web server, and then use a web shell to move laterally in the environment.

Traditional antivirus products and even application whitelisting products are completely blind to attacks that do not use malware. This underscores the need for organizations to have advanced cybersecurity tools that protect against both known and unknown threats.

To learn more about how to protect against such attacks, please see our related video and infographic.

3. Malware as a Service (MaaS)

Another growing trend is the use of Malware as a Service (MaaS) for carrying out cyberattacks. In a MaaS model, hackers are hired to conduct ransomware attacks on behalf of a third-party. This model allows anyone who wishes to carry out a cyberattack to do so, even if they lack the technical skills or experience.

4. DoS and DDoS Attacks

A Denial-of-Service (DoS) attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations.

In a DoS attack, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts or other resources that are operated by a compromised computer or network. While most DoS attacks do not result in lost data and are typically resolved without paying a ransom, they cost the organization time, money and other resources in order to restore critical business operations.

The difference between DoS and Distributed Denial of Service (DDoS) attacks has to do with the origin of the attack. DoS attacks originate from just one system while DDoS attacks are launched from multiple systems. DDoS attacks are faster and harder to block than DOS attacks because multiple systems must be identified and neutralized to halt the attack.

In 2018, the FBI shut down the largest DDoS-for-hire site on the dark web, which led to a dip in DDoS attacks. However, numbers are now once again on the rise. [According to recent research, DDoS attacks increased by 151% in the first half of 2020.]

Part of the reason for this trend is the explosion of connected devices and Internet of Things (IoT) technology. Unlike traditional endpoints, like computers and smartphones, most IoT devices have relatively lax security controls, making them susceptible to attacks and increasing their ability to be overtaken by a botnet.

COVID-19 further exacerbated DDoS attacks in that the rapid shift to remote work led to a proliferation of often poorly secured connected devices. This dramatically expanded the attack surface at a time when many IT organizations were preoccupied with basic tasks like ensuring remote access and support services.

Example: The AWS DDoS Attack in 2020

Virtually any organization can fall victim to a DDoS attack, as evidenced by the February 2020 attack on Amazon Web Services (AWS). Considered one of the largest, high-profile DDoS attacks ever reported, this attack targeted an unknown AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) reflection, which amplifies data sent to the victim’s IP address through a server vulnerability. The attack, which lasted three days, caused significant revenue losses for AWS customers and reputational harm to AWS.

5. Phishing

Phishing is a type of cyberattack that uses email, SMS, phone, social media, and social engineering techniques to entice a victim to share sensitive information — such as passwords or account numbers — or to download a malicious file that will install viruses on their computer or phone.

Common phishing examples in the COVID era

As noted above, COVID-19 dramatically increased cyberattacks of all kinds, including phishing attacks. During the lockdown period, people generally spent more time online and also experienced heightened emotions — the virtual recipe for an effective phishing campaign.

Throughout 2020, the CrowdStrike data science team closely tracked COVID-19-related malspam (malicious spam). Most attacks urged the recipient to download an attachment, which was malware that then acted as a keylogger or password stealer. Some of the most common scenarios and techniques included:

• Impersonating a doctor and claiming to be able to treat or cure COVID-19.
• Impersonating a government organization that is sharing important public health information.
• Impersonating a courier service that is attempting to deliver a package.

For more information about common phishing techniques in the COVID era, please access our companion post on phishing attacks.

The Most Impersonated Organizations in Phishing Scams

While the most well-known phishing attacks usually involve outlandish claims, such as a member of a royal family requesting an individual’s banking information, the modern phishing attack is far more sophisticated. In many cases, a cyber criminal may masquerade as common retailers, service providers or government agencies to extract personal information that may seem benign such as email addresses, phone numbers, the user’s date of birth, or the names of family members.

To assess exactly which organizations are being impersonated the most in phishing scams, the CrowdStrike data science team submitted an FOIA request to the Federal Trade Commission and asked for the total number of phishing scams reported as impersonating the top 50 brands and all U.S. federal agencies.

The results show the U.S. public which emails from brands and organizations they need to be the most cautious of, and which are the most lucrative to impersonate for phishing criminals. Topping the list is e-retailer Amazon, followed by technology companies Apple (2), Microsoft (4) and Facebook (8). Other organizations include: the Social Security Administration (3); retail banks, such as Bank of America (5) and Wells Fargo (6); telecommunications providers such as AT&T (7) and Comcast (10); retailers such as Costco (11), Walmart (12) and Home Depot (18); and courier services such as FedEx (9) and UPS (14).

To view the complete list, please access our companion post on phishing attacks.

6. MITM Attack

A man-in-the-middle (MITM) attack is a type of cyberattack in which a malicious actor eavesdrops on a conversation between a network user and a web application. The goal of a MITM attack is to surreptitiously collect information, such as personal data, passwords or banking details, and/or to impersonate one party to solicit additional information or spur action. These actions can include changing login credentials, completing a transaction or initiating a transfer of funds.

While MITM attackers often target individuals, it is a significant concern for businesses and large organizations as well. One common point of access for hackers is through software-as-a-service (SaaS) applications. The cyber attacker can then use these applications as an entryway to the organization’s wider network and potentially compromise any number of assets, including customer data, IP or proprietary information about the organization and its employees.

The sudden influx of remote workers, which relied on SaaS applications to complete routine tasks during COVID-19 lockdown periods, as well as an increase in connected devices, has significantly increased the opportunity for MITM attacks over the past two years.

The next frontier: Machine-in-the-Middle

[Although generally less well-known than ransomware or malware attacks, MITM attacks are among the most widely used methods available to cybercriminals. According to some estimates, 35 percent of incidents where cyber weaknesses have been exploited involved MItM attacks.]

As with malware attacks, advances in cyber security defenses have made MITM and other network-based attacks increasingly difficult to execute. As a result, cybercriminals have now begun to target the endpoint instead of the network in these attacks. For example, the hacker may target a user’s computer and install a root Certificate Authority (CA) and then generate valid digital certificates that allow them to impersonate any website. Since the root CA is controlled by the hacker, encrypted communication sent by the user can be intercepted. In this way, the concept of ‘Man-in-the-Middle’ becomes ‘Machine-in-the-Middle.’

One recent MITM attacker identified by CrowdStrike was a Trickbot module called shaDll. The module installed illegitimate SSL certificates on infected computers, which allowed the tool to gain access to the user network. The module was then able to redirect web activity, inject code, take screenshots and gather data.

Example: The Fall of WebNavigatorBrowser

Another attack recently highlighted by CrowdStrike relates to Chromium-based Adware Browser WebNavigatorBrowser. This web browser falls into the category of adware because it injects ads into search results. The developer based it on Google’s free and open-source browser software project, Chromium. It is copyrighted and signed by Better Cloud Solutions LTD, a legally registered company in the U.K.

In early 2020, Sectigo, (formerly known as Comodo) a well-known Certificate Authority (CA), revoked WebNavigatorBrowser’s certificate, making this attack vector a thing of the past.

For more information, please read our companion post: The Rise and Fall of WebNavigatorBrowser: Chromium-based Adware Browser.

7. Cross-Site Scripting (XSS)

Cross Site Scripting (XSS) is a code injection attack in which an adversary inserts malicious code within a legitimate website. The code then launches as an infected script in the user’s web browser, enabling the attacker to steal sensitive information or impersonate the user. Web forums, message boards, blogs and other websites that allow users to post their own content are the most susceptible to XSS attacks.

Though an XSS attack targets individual web application visitors, the vulnerabilities lie in the application or web site. As such, organizations that needed to deploy a remote workforce may have inadvertently exposed itself to this type of attack by making internal applications available via web or by deploying cloud-based services. This increased the attack surface at a time of significant strain for businesses and IT teams, in particular.

8. SQL Injections

A SQL Injection attack is similar to XSS in that adversaries leverage system vulnerabilities to inject malicious SQL statements into a data-driven application, which then allows the hacker to extract information from a database. Hackers use SQL Injection techniques to alter, steal or erase data.

The main difference between XSS and SQL Injection has to do with who is targeted. The XSS is a client-side vulnerability that targets other application users, whereas the SQL injection is a server-side vulnerability that targets the application’s database.

One of the most common targets of SQL injection attacks are gamers and the gaming industry. According to Akamai’s State of the Internet report, attacks on the gaming industry increased three-fold between 2019 and 2020, reaching more than 240 million web application attacks. SQL injections were the most common attack vector; this technique was used to access player login credentials and other personal information.

Once again, this uptick is attributable to increased time spent online due to COVID-19 lockdowns and social distancing.

9. DNS Tunneling

DNS Tunneling is a type of cyberattack that leverages domain name system (DNS) queries and responses to bypass traditional security measures and transmit data and code within the network.

Once infected, the hacker can freely engage in command-and-control activities. This tunnel gives the hacker a route to unleash malware and/or to extract data, IP or other sensitive information by encoding it bit by bit in a series of DNS responses.

DNS tunneling attacks have increased in recent years, in part because they are relatively simple to deploy. Tunneling toolkits and guides are even readily accessible online through mainstream sites like YouTube.

10. Password Attack

Password attacks—any cyberattack wherein a hacker attempts to steal a user’s password—are one of the leading causes of both corporate and personal data breaches.

Password attacks are on the rise because they are an effective means for gaining access to a network or account. Since many users do not set strong passwords, reuse existing passwords across multiple sites or fail to regularly change their password, hackers can exploit these weaknesses.

[According to the Verizon 2021 Data Breach Investigations Report, compromised credentials, such as weak passwords, are the primary point of access for hackers. More than six in ten breaches (61%) originate with user credentials.]

11. Birthday Attacks

Birthday attacks are a type of brute force attack that attempts to identify two matching hash values to crack a password. The attack takes its name from the probability theory that within a group of 30 people, there is a 70% likelihood that two people share the same birthday.

12. Drive By Attack

A drive-by attack, sometimes called a drive-by download, is a more sophisticated form of a malware attack that leverages vulnerabilities in various web browsers, plugins, or apps, to launch the attack. It does not require any human action to initiate. Once the attack is underway, the hacker can hijack the device, spy on the user’s activity or steal data and personal information.

Though a drive-by attack is far more complex to deploy, they are becoming more common as cybersecurity measures become more advanced and sufficiently deflect traditional malware attacks.

13. Cryptojacking

Cryptojacking is the unauthorized use of a person’s or organization’s computing resources to mine cryptocurrency.

Cryptojacking programs may be malware that is installed on a victim’s computer via phishing, infected websites, or other methods common to malware attacks; they may also be small pieces of code inserted into digital ads or web pages that only operate while the victim is visiting a particular website.

Cryptojacking attacks have waned since 2018 due to increased attention from law enforcement, as well as the decommissioning of Coinhive, the leading crypto-mining site for Monero cryptocurrency. However, such attacks have since increased once again due to the rising value of cryptocurrencies.

14. IoT-Based Attacks

An IoT attack is any cyberattack that targets an Internet of Things (IoT) device or network. Once compromised, the hacker can assume control of the device, steal data, or join a group of infected devices to create a botnet to launch DoS or DDoS attacks.

[According to the Nokia Threat Intelligence Lab, connected devices are responsible for nearly one-third of mobile network infections – more than double the amount in 2019.]

Given that the number of connected devices is expected to grow rapidly over the next several years, cybersecurity experts expect IoT infections to grow as well. Further, the deployment of 5G networks, which will further fuel the use of connected devices, may also lead to an uptick in attacks.

Download the white paper to see the breakdown of new trends in online extortion threats.

The Rise of Cyber Attacks

In recent years, cyberattacks have become more sophisticated, increasing the need for a comprehensive cybersecurity strategy and tooling.

The world recorded a steep increase in cyber attacks and cybercrime in 2020. According to CrowdStrike’s 2020 Threat Hunting Report, which analyzes intrusion attempts within the CrowdStrike customer network, more breaches were attempted in the first half of 2020 than in all of 2019. The report revealed that the CrowdStrike threat hunting team blocked roughly 41,000 potential intrusions from January through June 2020, as compared to 35,000 intrusions during the entirety of the previous year. This represents a 154% increase in cyberattacks year-on-year.

This increase may be attributed to several factors including:

• The COVID-19 pandemic and stay-at-home orders, which dramatically increased the amount of time people spent online;
• The shift to remote work (an existing trend that was rapidly accelerated due to COVID-19), which increased the use of personal connected devices, as well as personal networks, thereby expanding the attack surface for organizations;
• The proliferation of connected devices and Internet of Things (IoT) technology, which provide a plethora of entry points for cybercriminals;
• The shift to the cloud, which requires a fundamentally different security strategy as compared to traditional on-premises networks;
• 5G technology, which is further fueling the use of connected devices; and
• The availability of hackers “as-a-service” which makes ransomware and other malware attacks available to those who lack the technical expertise to carry out such an attack personally.

How To Protect Against Cyber Attacks

A comprehensive cybersecurity strategy is absolutely essential in today’s connected world. From a business perspective, securing the organization’s digital assets has the obvious benefit of a reduced risk of loss, theft or destruction, as well as the potential need to pay a ransom to regain control of company data or systems. In preventing or quickly remediating cyberattacks, the organization also minimizes the impact of such events on business operations. Finally, when an organization takes steps to deter adversaries, they are essentially protecting the brand from the reputational harm that is often associated with cyber events — especially those that involve the loss of customer data.

Below are some recommendations we offered in our 2020 Global Security Attitude Survey to help organizations improve their security posture and ensure cybersecurity readiness:

• Continue to invest in digital transformation to keep pace with the eCrime and nation-state threats. Replacing legacy, on-premises technologies with cloud-native platforms — such as CrowdStrike Falcon®® — that are designed to protect remote and hybrid environments will be critical to ensuring protection in the new work-from-anywhere environments that are here to stay.
• Focus on protecting all workloads wherever they are rather than maintaining security models built around network perimeters. A solution such as CrowdStrike® Falcon Cloud Workload Protection provides breach protection across private, public, hybrid and multi-cloud environments so you can rapidly adopt and secure technology across any workload.
• Integrate identity protection with run-time protection of workloads, endpoints and mobile devices to alleviate the strain on IT teams, and keep your organization secure by allowing your team to plan, implement and migrate to the cloud-native applications you need to secure your business and employees — no matter where they are located.
• Strive to meet the 1-10-60 rule that CrowdStrike introduced in 2018: one minute to detect a cyber threat, 10 to investigate and 60 to contain and remediate. The survey reveals that it takes organizations an average of 117 hours to even detect an incident or intrusion (reflecting very little improvement from 120 hours in 2019) — and many more to investigate and contain it. The CrowdStrike Falcon® platform enables security teams to shorten the time to investigate and understand a cybersecurity threat by providing deep context, seamlessly integrated threat intelligence and sophisticated visualizations.